---
title:  Firewalls and Ports
---

<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements.  See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License.  You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

Make sure your port settings are configured correctly for firewalls.

<a id="concept_5ED182BDBFFA4FAB89E3B81366EBC58E__section_F9C1D7419F954DC1A305C34714C8615C"></a>
There are several different port settings that need to be considered when using firewalls:

-   Port that the cache server listens on. This is configurable using the `cache-server` element in cache.xml, on the CacheServer class in Java APIs, and as a command line option to the `gfsh start server` command.

    By default, if not otherwise specified, Geode clients and servers discover each other on a pre-defined port (**40404**) on the localhost.

-   Locator port. Geode clients can use the locator to automatically discover cache servers. The locator port is configurable as a command-line option to the `gfsh start locator` command. Locators are used in the peer-to-peer cache deployments to discover other processes. They can be used by clients to locate servers as an alternative to configuring clients with a collection of server addresses and ports.

    By default, if not otherwise specified, Geode locators use the default multicast port **10334**.

-   Since locators start up the distributed system, locators must also have their ephemeral port range and TCP port accessible to other members through the firewall.
-   For clients, you configure the client to connect to servers using the client's pool configuration. The client's pool configuration has two options: you can create a pool with either a list of server elements or a list of locator elements. For each element, you specify the host and port. The ports specified must be made accessible through your firewall.

## **Limiting Ephemeral Ports for Peer-to-Peer Membership**

By default, Geode assigns *ephemeral* ports, that is, temporary ports assigned from a designated range, which can encompass a large number of possible ports. When a firewall is present, the ephemeral port range usually must be limited to a much smaller number, for example six. If you are configuring P2P communications through a firewall, you must also set the TCP port for each process and ensure that UDP traffic is allowed through the firewall.

## **Properties for Firewall and Port Configuration**

This table contains properties potentially involved in firewall behavior, with a brief description of each property. Click on a property name for a link to the reference topic.

<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="34%" />
</colgroup>
<thead>
<tr class="header">
<th><strong>Configuration area</strong></th>
<th><strong>Property or Setting</strong></th>
<th><strong>Definition</strong></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>peer-to-peer config</td>
<td><p><code class="ph codeph">conserve-sockets</code></p></td>
<td><p>Specifies whether sockets are shared by the system member's threads.</p></td>
</tr>
<tr class="even">
<td>peer-to-peer config</td>
<td><p><code class="ph codeph">locators</code></p></td>
<td><p>The list of locators used by system members. The list must be configured consistently for every member of the distributed system.</p></td>
</tr>
<tr class="odd">
<td>peer-to-peer config</td>
<td><p><code class="ph codeph">mcast-address</code></p></td>
<td><p>Address used to discover other members of the distributed system. Only used if mcast-port is non-zero. This attribute must be consistent across the distributed system.</p></td>
</tr>
<tr class="even">
<td>peer-to-peer config</td>
<td><p><code class="ph codeph">mcast-port</code></p></td>
<td><p>Port used, along with the mcast-address, for multicast communication with other members of the distributed system. If zero, multicast is disabled for data distribution.</p></td>
</tr>
<tr class="odd">
<td>peer-to-peer config</td>
<td><p><code class="ph codeph">membership-port-range</code></p></td>
<td><p>The range of ephemeral ports available for unicast UDP messaging and for TCP failure detection in the peer-to-peer distributed system.</p></td>
</tr>
<tr class="even">
<td>peer-to-peer config</td>
<td><p><code class="ph codeph">tcp-port</code></p></td>
<td><p>The TCP port to listen on for cache communications.</p></td>
</tr>
</tbody>
</table>

<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Configuration Area</th>
<th><strong>Property or Setting</strong></th>
<th><strong>Definition</strong></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>cache server config</td>
<td><p><code class="ph codeph">hostname-for-clients</code></p></td>
<td><p>Hostname or IP address to pass to the client as the location where the server is listening.</p></td>
</tr>
<tr class="even">
<td>cache server config</td>
<td><p><code class="ph codeph">max-connections</code></p></td>
<td><p>Maximum number of client connections for the server. When the maximum is reached, the server refuses additional client connections.</p></td>
</tr>
<tr class="odd">
<td>cache server config</td>
<td><p><code class="ph codeph">port</code> (cache.xml) or <code class="ph codeph">--port</code> parameter to the <code class="ph codeph">gfsh start server</code> command</p></td>
<td><p>Port that the server listens on for client communication.</p></td>
</tr>
</tbody>
</table>

## Default Port Configurations

<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th><p><strong>Port Name</strong></p></th>
<th>Related Configuration Setting</th>
<th><p><strong>Default Port</strong></p></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Cache Server</p></td>
<td><p><code class="ph codeph">port</code> (cache.xml)</p></td>
<td>40404</td>
</tr>
<tr class="even">
<td><p>HTTP</p></td>
<td><code class="ph codeph">http-service-port</code></td>
<td>7070</td>
</tr>
<tr class="odd">
<td><p>Locator</p></td>
<td><code class="ph codeph">start-locator</code> (for embedded locators) or <code class="ph codeph">--port</code> parameter to the <code class="ph codeph">gfsh start locator</code> command.</td>
<td><em>if not specified upon startup or in the start-locator property, uses default multicast port 10334</em></td>
</tr>
<tr class="even">
<td><p>Membership Port Range</p></td>
<td><code class="ph codeph">membership-port-range</code></td>
<td>1024 to 65535</td>
</tr>
<tr class="odd">
<td><p>Memcached Port</p></td>
<td><code class="ph codeph">memcached-port</code></td>
<td><em>not set</em></td>
</tr>
<tr class="even">
<td><p>Multicast</p></td>
<td><code class="ph codeph">mcast-port</code></td>
<td>10334</td>
</tr>
<tr class="odd">
<td><p>RMI</p></td>
<td><code class="ph codeph">jmx-manager-port</code></td>
<td>1099</td>
</tr>
<tr class="even">
<td><p>TCP</p></td>
<td><code class="ph codeph">tcp-port</code></td>
<td>ephemeral port</td>
</tr>
</tbody>
</table>

## **Properties for Firewall and Port Configuration in Multi-Site (WAN) Configurations**

Each gateway receiver uses a port to listen for incoming communication from one or more gateway senders communication between Geode sites. The full range of port values for gateway receivers must be made accessible within the firewall from across the WAN.

This table contains properties potentially involved in firewall behavior, with a brief description of each property. Click on a property name for a link to the [gemfire.properties and gfsecurity.properties (Geode Properties)](../../reference/topics/gemfire_properties.html#gemfire_properties) reference topic.

<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Configuration Area</th>
<th><strong>Property or Setting</strong></th>
<th><strong>Definition</strong></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td>multi-site (WAN) config</td>
<td><p>[hostname-for-senders](../../reference/topics/gfe_cache_xml.html#gateway-receiver)</p></td>
<td><p>Hostname or IP address of the gateway receiver used by gateway senders to connect.</p></td>
</tr>
<tr class="even">
<td>multi-site (WAN) config</td>
<td>[remote-locators](../../reference/topics/gemfire_properties.html#gemfire_properties)</td>
<td><p>List of locators (and their ports) that are available on the remote WAN site.</p></td>
</tr>
<tr class="odd">
<td>multi-site (WAN) config</td>
<td><p>[start-port](../../reference/topics/gfe_cache_xml.html#gateway-receiver) and [end-port](../../reference/topics/gfe_cache_xml.html#gateway-receiver) (cache.xml) or <code class="ph codeph">--start-port</code> and <code class="ph codeph">--end-port</code> parameters to the <code class=" ph codeph">gfsh start gateway receiver</code> command</p></td>
<td><p>Port range that the gateway receiver can use to listen for gateway sender communication.</p></td>
</tr>
</tbody>
</table>

## Default Port Configuration

<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th><p><strong>Port Name</strong></p></th>
<th>Related Configuration Setting</th>
<th><p><strong>Default Port</strong></p></th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Gateway Receiver</p></td>
<td><p>[start-port](../../reference/topics/gfe_cache_xml.html#gateway-receiver) and [end-port](../../reference/topics/gfe_cache_xml.html#gateway-receiver) (cache.xml) or <code class="ph codeph">--start-port</code> and <code class="ph codeph">--end-port</code> parameters to the <code class="ph codeph">gfsh start gateway receiver</code> command</p></td>
<td><em>not set</em> Each gateway receiver uses a single port to accept connections from gateway senders in other systems. However, the configuration of a gateway receiver specifies a range of possible port values to use. Geode selects an available port from the specified range when the gateway receiver starts. Configure your firewall so that the full range of possible port values is accessible by gateway senders from across the WAN.</td>
</tr>
</tbody>
</table>


